Many of today’s cyber systems are engineered with a networked layer model, which is different from the way traditional space systems were designed. Legacy space systems are typically a collection of subsystems supporting space and ground segments. Because of the different engineering methodologies that went into establishing space and cyber systems, key science and technology investments need to be made to reconcile these systems in the acquisition and engineering processes, allowing for truly integrated space and cyber systems.

All stakeholders (e.g., acquirers, contractors, operators, mission users) involved in space systems are actively considering how to approach the mission challenges of developing and operating space-cyber systems. The considerations are strategic (e.g., what science and technology investments need to be made in new space-cyber situational awareness capabilities of the future) and tactical (e.g., what operational changes could lead to better use of existing resources). Space cyber refers to the physical instantiation of cyber capability onto space platforms. Cyberspace is the information technology infrastructure that makes up the global domain of the information environment.

Space systems are topologically information technology (cyber) systems overlain onto specific platforms residing in the space environment. There are many technologies that are capable of crossing the boundaries between space and cyber, and these must be considered when developing an architecture methodology for integration. For example, many of today’s space and cyber systems share service-oriented measures of effectiveness and performance. These metrics assess accessibility, adaptability, autonomy, availability, capacity, coverage, delay, latency, reliability, robustness, scalability, speed, survivability, and timeliness.

The set of metrics associated with information gathering, transfer, and exploitation is an area where systems engineers are working to develop mutually acceptable requirements definitions for space-cyber systems. Defining a mutual taxonomy can lead to changes in the systems engineering process and insight into where to invest in the science and technology strategies of the future. The approach is to have network- and cyber-savvy designers help space systems engineers accomplish the transformation to service-oriented functional overlays provided by space-cyber systems.

Resilience in the Face of Cyberattack

U.S. space policy calls for increased assurance and resilience of mission-essential functions for a wide spectrum of commercial, civil, scientific, and national security spacecraft and infrastructure when confronted by disruptions or degradation from various sources. The mission assurance goal in the face of a cyberattack is to develop an overall space-cyber approach that allows for rapid reconstitution or reallocation of functionality and tasks using the cyber capabilities of space-based systems including common communications nodes and shared/distributed processing nodes for joint situational awareness. The approach to integration must involve multiplatform investments in mutually defensive capabilities.

The defined set of mission assurance capabilities for an integrated approach to space cyber must allow for dynamic reconfiguration of space-cyber systems in a cluster or constellation in response to threats of multiple types, including kinetic and nonkinetic. Dynamic space-cyber options would allow for active defense of space-based capabilities. The protections established should be flexible enough to adapt to changing mission requirements and have greater mitigation options for on-orbit failures. Mission stakeholders will then be able to begin planning for cyberattacks well in advance, increasing confidence in the overall operability and mission assurance of fractionated systems.

In the past, space system designers had to wait decades to inject new enabling technologies for satellite block upgrades on monolithic legacy space systems. Space-cyber integrated systems design offers increased operability and robustness over traditional space system approaches. Adopting emerging space-cyber systems engineering techniques will allow for more rapid upgrades to block systems and new techniques for processors, distributed processing capabilities, and varied communication and bandwidth allocation approaches. It also offers a path toward faster, more flexible development cycles.

The space community would benefit from creating an integrated set of testbeds to rapidly iterate among possible niches of various space-cyber genotype and design combinations. It would be beneficial to address the flexibility and robustness aspects by creating more flexible space/ground link combinations for the command and control/satellite operations (C2/SO) systems. The science and technology strategies could be iterated within the testbeds or implemented in a more robust and flexible networked C2/SO system of systems.

The underlying research of developing an integration approach must be designed to investigate the limits of space systems as cyber-physical systems within the context of complex systems. It may be best to take existing complex system research lines, which are well established, and look for the strongest overlaps with space-cyber systems.

Space systems and cyber systems have been on an intersecting path for science and technology development investment for quite some time. Space-cyber integrated systems design offers increased operability and increased space-cyber robustness over traditional space system approaches. There is a strong risk/opportunity trade worth investigating, aspects of which have been a part of prior research for fractionated systems, which had a heavy networking and cyber component. If an “architecting” or analytic methodology can be created to allow for rapid trades amongst candidates to explore their functional capability, it should be possible to make decisions for a better space-cyber system with the desired autonomy, flexibility, and robustness. The objective is to use cyber technologies and applications to enable operability improvements or upgrades as needed.

The Aerospace Corporation is working closely with its customers to develop integrated testbeds in cyber. The priority is to develop the ability for analysis of the genotypes (designs) and phenotypes (behaviors, i.e., autonomy, flexibility, and robustness) that will be involved in the research process with an emphasis on the satellite operations and infrared intelligence, surveillance, and reconnaissance of the overhead persistent infrared systems (ISR/OPIR). An important step is to identify whether the infrared functions can be devised as services that allow missions to repurpose the physical sensor systems. This will also offer capability for the introduction of new sensor technologies while ensuring legacy sensor systems can continue to be used as they are integrated with new technologies.

Much work has been accomplished in the space and cyber science and technology investment strategies, but refinements to optimize the marriage of the two are ongoing. There is a need for continued discussion on this nationally critical topic that will guide future investment strategies. A disciplined methodology is called for that can accept and use emergent behaviors of advanced technologies, particularly to support key decision processes and augment human decision-making. The ultimate goal is a national security space robust architecture that is a standards-based, net-centric, service-oriented virtual enterprise.

Achieving Mission Resilience for Space Systems

Space systems need enhanced resiliency to ensure performance of critical functions and overall mission operations during a cyberattack. Aerospace is investigating various approaches to achieving such resilience for current and future programs.

Space assets are an integral part of cyberspace. As such, they are directly and indirectly connected to supporting systems with varying levels of assurance and security. These highly distributed systems provide a broad attack surface to adversaries. Additionally, the reuse, complexity, and interoperability of spacecraft components often results in systems with interconnected legacy components (whose security posture is unknown) and insecurely configured hardware and software. These systems provide minimal support for resiliency and countermeasures and limited, if any, cyberspace situational awareness.

As part of its efforts in space-program research, guidance, and experimentation, The Aerospace Corporation is developing a set of architectural and operational recommendations to enhance space mission resilience against cyberattacks. These include the application of architectural frameworks, constellation design practices, software engineering methods, and cyberspace command and control models.

Architectural Frameworks for Resiliency

The software architecture is the design blueprint that specifies the components of a system, the organization of those components, and the rationale for why the particular component structure will meet system requirements and stakeholder expectations. An architecture that is incorrectly or poorly defined often leads to costly reimplementation, induced complexities, legal challenges, and even project failure. Far worse, even if the system is eventually built and deployed, poor architectural design may introduce weaknesses that render the system vulnerable to a multitude of cyberattacks.

An organized approach to evaluating a software architecture can reduce the cost, schedule, and cybersecurity risks that result from improper design. Aerospace has developed a framework to do just that.

The architecture framework includes a set of “dimensions”—categorized lists of focused questions that probe different aspects of the software architecture during each phase of a program’s lifecycle. These initially addressed general qualities such as flexibility, availability, and interoperability as well as specific space concerns such as reprogrammability and information assurance. A resiliency dimension has been added to specifically address the growing threat of cyberattacks. It covers complexity, integration, priorities, degraded operation, and failure recovery. A sufficient cyber defense must consider which functions are critical to accomplishing the mission, which components and subsystems accomplish those functions, and how those components and subsystems are organized. Resilience must be engineered in the context of attacks that can jeopardize mission-critical functions and capability. Of particular interest are attacks that result in loss of data, loss of command and control, or loss of availability, or that involve jamming of communications or telemetry, injection of spurious input, and spoofing or deception of received signals.

More work is required to fully evaluate the resiliency of space systems to cyberattack. Lower-level implementation, integration, and the operational environment are additional areas that need to be considered.

Several programs have already undergone architecture evaluations that included the resiliency dimension, and the experience gained has been invaluable in strengthening the understanding of resiliency and how it is achieved and assessed in space architectures. Aerospace is continuing to refine the resiliency dimension by applying the framework to more programs and incorporating the results of ongoing internal research.

Resilient Constellation Designs

A functional concept of cyberspace operations and the operational environment. Courtesy of U.S. Air Force.

Space segment architectures have traditionally focused on satellites designed to meet large sets of static mission requirements through a projected service life of ten years or more with limited update capability. Increasingly, however, system designers have begun to recognize that these space systems need to be modified in a shorter time span and need to accommodate changing mission requirements and technology advances. As a result, the perspective of what satellites are has begun to change. Satellites are no longer seen as massive pieces of durable hardware, but rather as systems providing a series of services—e.g., acquiring useful data, storing it, packaging it into higher-level products, and downlinking it to users or ground sites. By separating the services required of space systems from the payloads that provide them, program architects can develop systems with inherently greater resilience.

One such approach is known as fractionation. In a fractionated architecture, the traditional monolithic satellite is replaced by a spaceborne cluster of interconnected modules. These modules operate on a common wireless network that allows them to share resources (in this context, shareable resources are the services provided by space systems—data processing, data storage, and space-to-ground communication). Free-flying payload modules can be supported by one or more infrastructure modules that simultaneously provide services to all payloads within the cluster. Common infrastructure modules can be maintained, exchanged, and upgraded independently from the payload modules and dynamically tasked based on changing conditions (e.g., updates to payload priority, mission criticality, or the current state of the cluster).

A fractionated architecture offers significantly more flexibility, responsiveness, robustness, and survivability than a traditional monolithic spacecraft. To begin with, the services provided by the spacecraft are no longer physically connected; therefore, modules can be developed, manufactured, integrated, and tested in parallel. This functional partitioning, combined with the smaller size of the modules, leads to shorter design and build cycles and more frequent opportunities to insert new technology. Modules can be launched separately, which implies shorter times to initial operating capability and a reduced risk from a single catastrophic launch failure.

Fractionated architectures also offer greater resilience against cyberattacks because of the reconfigurable nature of the network. Real-time network management and fault tolerance can provide multiple routing paths around the cluster, including rapid and autonomous reconfiguration in the face of network degradation, component failure, or the addition or removal of resources. Network-level safe modes that protect the cluster from cyberattack (or switch to modes that continue to operate through the cyberattack) can be coupled with vehicle-level safe modes to ensure continued safety of the network as well as the individual modules. These are all based on the cluster’s capability to autonomously reconfigure itself to retain safety- and mission-critical functionality despite network degradation or component failures.

Some technical and operational gaps must be addressed before fractionated architectures can be widely introduced. Current concepts for fractionation require the development of advanced technologies (e.g., wireless communications, networking, information assurance, cluster flight), though upfront work in standardization of interfaces and protocols will reduce the development complexity for future spacecraft systems. Current concepts also require a significant amount of onboard autonomy, which presents significant challenges in the areas of software development; fault detection, isolation, and recovery; network management; and verification/validation of safety-critical, distributed, real-time, and dynamically reconfigurable software. Also, although they are highly resilient, fractionated systems may be inherently more vulnerable to cyberattack than traditional spacecraft because they replace the internal spacecraft harness with a wireless network. Despite these challenges, the potential benefits in flexibility, survivability, and resilience continue to make fractionation an attractive option for future architecture studies.

Flight Software Resiliency

Spaceflight systems will need to evolve to include operating strategies to mitigate the emerging cybersecurity threat. In the near term, additional computing resources can be used to implement mitigation techniques that have been proven effective terrestrially. In the medium term, flight systems will need to redefine mission assurance, fault management, and the notion of safe mode to include resiliency. Future systems will need to have a risk-based approach to both autonomous and human-in-the-loop fault management that preserves operating capability. Finally, the long-term solutions for flight systems will probably incorporate new technologies that provide detection and avoidance that are still very much research ideas. High-level design tools will need enhancements to appropriately model the cost/benefit trade-offs for cyberattack resilience.

Some of the near-term mitigations that can be applied to flight systems include:

Isolation kernels. Future flight systems will include operating systems (kernels) that provide separation of privileges, memory, and other resources. Current systems rely on monolithic real-time kernels that do not provide many of these protections.

Signed code. Flight software disk images could be digitally signed by the factory and protected from tampering. This could prevent the uploading of an unauthorized image and protect the integrity of the image stored onboard the satellite. Restarting an onboard computer using a signed disk image may afford the opportunity to return a system to a known good state.

Address-space randomization. The memory layout of flight software could be randomized each time a flight processor is rebooted. This would make it more difficult for a cyberattack to make assumptions about the memory locations and the offsets needed to exploit an existing flaw in the software.

Bus-spoofing protections. Most modern high-performance bus technologies are packet-switched, rather than broadcast-based. Many of these bus standards do not include protections against spoofing the source of information on the bus. Spoofing the source implies that a sender on the bus is masquerading as another sender. Spoofing protection could, for example, prevent a rogue subsystem from sending a false attitude control update to the main flight processor.
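As an added illustration of the bus-spoofing protection described above (example code written for this article, not part of the original or of any flight system), the following Go program authenticates each bus frame with an HMAC under a per-subsystem key and tracks a per-source sequence counter. The frame layout, the subsystem identifiers and the keys are constructed for the example; a rogue subsystem that holds only its own key cannot produce a valid tag for another source, and a captured valid frame cannot be replayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is a constructed bus frame: a claimed source identifier, a per-source
// sequence counter, the payload, and an HMAC-SHA256 tag over (src || seq || payload)
// computed under the key that belongs to the claimed source.
type Frame struct {
	Src     uint8
	Seq     uint32
	Payload []byte
	Tag     []byte
}

// Hypothetical subsystem identifiers used only in this example.
const (
	SrcADCS    uint8 = 0x10 // attitude determination and control subsystem
	SrcThermal uint8 = 0x20 // thermal control subsystem
)

var (
	ErrUnknownSource = errors.New("unknown source id")
	ErrBadTag        = errors.New("tag mismatch: sender does not hold the claimed source's key")
	ErrReplay        = errors.New("stale sequence number: possible replayed frame")
)

// authInput serialises the fields covered by the tag so the source id and
// sequence number cannot be altered without invalidating the tag.
func authInput(src uint8, seq uint32, payload []byte) []byte {
	buf := make([]byte, 1+4+len(payload))
	buf[0] = src
	binary.BigEndian.PutUint32(buf[1:5], seq)
	copy(buf[5:], payload)
	return buf
}

func computeTag(key []byte, src uint8, seq uint32, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(authInput(src, seq, payload))
	return mac.Sum(nil)
}

// Send builds an authenticated frame; only a holder of key can produce a
// frame that verifies as coming from src.
func Send(key []byte, src uint8, seq uint32, payload []byte) Frame {
	return Frame{Src: src, Seq: seq, Payload: payload, Tag: computeTag(key, src, seq, payload)}
}

// Receiver models the main flight processor: one key and one highest-accepted
// sequence number for every legitimate source on the bus.
type Receiver struct {
	keys    map[uint8][]byte
	lastSeq map[uint8]uint32
}

func NewReceiver(keys map[uint8][]byte) *Receiver {
	return &Receiver{keys: keys, lastSeq: map[uint8]uint32{}}
}

// Accept verifies the tag under the key of the claimed source, then enforces a
// strictly increasing sequence. The tag is checked first so that an
// unauthenticated frame can never advance the replay counter.
func (r *Receiver) Accept(f Frame) error {
	key, ok := r.keys[f.Src]
	if !ok {
		return ErrUnknownSource
	}
	if !hmac.Equal(f.Tag, computeTag(key, f.Src, f.Seq, f.Payload)) {
		return ErrBadTag
	}
	if last, seen := r.lastSeq[f.Src]; seen && f.Seq <= last {
		return ErrReplay
	}
	r.lastSeq[f.Src] = f.Seq
	return nil
}

func main() {
	adcsKey := []byte("constructed-adcs-key")       // constructed example key
	thermalKey := []byte("constructed-thermal-key") // constructed example key
	rx := NewReceiver(map[uint8][]byte{SrcADCS: adcsKey, SrcThermal: thermalKey})

	genuine := Send(adcsKey, SrcADCS, 1, []byte{0x01, 0x02})
	fmt.Println("genuine ADCS update:", rx.Accept(genuine))   // <nil>
	fmt.Println("replayed ADCS update:", rx.Accept(genuine))  // stale sequence number
	// A rogue subsystem that holds only the thermal key claims to be ADCS.
	spoofed := Send(thermalKey, SrcADCS, 2, []byte{0xff, 0xff})
	fmt.Println("spoofed ADCS update:", rx.Accept(spoofed))   // tag mismatch
}
```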

None of these features is new to terrestrial systems, yet they are rarely seen on flight systems. Inserting them into new flight systems offers an opportunity to reduce the risk and impact of cyberattack in an affordable, evolutionary way.

Some of the solutions for mitigating nonmalicious faults may also apply to malicious faults. Traditional techniques for handling radiation-induced single-event upsets have included memory scrubbing and periodic reboots of the flight processor. Variations of those approaches may work equally for malicious faults. One could envision scrubbing (rewriting) the memory containing the flight-software object code with a copy from the stored signed image. Periodic reboots might also serve to disrupt a transient/memory-resident malware attack.
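To make the signed-image and memory-scrubbing ideas above concrete, here is an added Go example (written for this article, not taken from any flight system) in which a factory signs an image with Ed25519, the onboard processor refuses to load or scrub from an image whose signature fails, and a scrub pass compares executable memory against the verified copy block by block and rewrites only the blocks that differ. The image contents, key seed and block size are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is a constructed stand-in for a flight software image: the
// object code plus the factory's signature over its SHA-256 digest.
type SignedImage struct {
	Code []byte
	Sig  []byte
}

// blockSize is the granularity of the scrub comparison (constructed value).
const blockSize = 16

var (
	ErrBadSignature = errors.New("image signature does not verify: refusing to load")
	ErrSizeMismatch = errors.New("memory region and image differ in size")
)

// FactorySign runs on the ground: the private key never flies.
func FactorySign(priv ed25519.PrivateKey, code []byte) SignedImage {
	digest := sha256.Sum256(code)
	return SignedImage{Code: append([]byte(nil), code...), Sig: ed25519.Sign(priv, digest[:])}
}

// VerifyImage is the onboard check against the factory public key held in
// protected storage. An unauthorized or tampered image fails here.
func VerifyImage(pub ed25519.PublicKey, img SignedImage) error {
	digest := sha256.Sum256(img.Code)
	if !ed25519.Verify(pub, digest[:], img.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Scrub compares mem with the signed image one block at a time, rewrites each
// differing block from the image and returns the offsets it repaired. The
// image is verified first so a corrupted stored copy is never used as the
// reference; the response is the same whether the difference came from a
// single-event upset or from a malicious modification.
func Scrub(mem []byte, img SignedImage, pub ed25519.PublicKey) ([]int, error) {
	if err := VerifyImage(pub, img); err != nil {
		return nil, err
	}
	if len(mem) != len(img.Code) {
		return nil, ErrSizeMismatch
	}
	var repaired []int
	for off := 0; off < len(mem); off += blockSize {
		end := off + blockSize
		if end > len(mem) {
			end = len(mem)
		}
		if !bytes.Equal(mem[off:end], img.Code[off:end]) {
			copy(mem[off:end], img.Code[off:end])
			repaired = append(repaired, off)
		}
	}
	return repaired, nil
}

// constructedImage builds a deterministic 64-byte stand-in for object code.
func constructedImage() []byte {
	code := make([]byte, 64)
	for i := range code {
		code[i] = byte(i * 7)
	}
	return code
}

func main() {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed key seed
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	img := FactorySign(priv, constructedImage())
	fmt.Println("stored image verifies:", VerifyImage(pub, img)) // <nil>

	// Executable memory with two modified bytes in different blocks.
	mem := append([]byte(nil), img.Code...)
	mem[5] ^= 0x01
	mem[40] ^= 0x80
	repaired, err := Scrub(mem, img, pub)
	fmt.Println("repaired block offsets:", repaired, err) // [0 32] <nil>

	// A tampered stored image is rejected rather than used as a reference.
	tampered := SignedImage{Code: append([]byte(nil), img.Code...), Sig: img.Sig}
	tampered.Code[0] ^= 0xff
	fmt.Println("tampered image:", VerifyImage(pub, tampered)) // refusing to load
}
```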

Operational Resiliency

Aerospace has developed a framework for evaluating software architectures. This framework includes a set of dimensions, or categorized lists of focused questions to ask about the software architecture. This flowchart provides an example of how questions for the resiliency dimension might be defined at each level in the evaluation framework.

Cyber defense policymakers and system architects are working to achieve a level of operational resiliency similar to that afforded to traditional assets. This requires a cyberspace command and control system and a skilled team to maintain operational status and situational awareness. Because of the time and space compression of cyber warfare, the command and control system must be designed to send and process data at speeds consistent with cyber warfare engagements.

One way to achieve the necessary rapid response is through a peer-processing architecture designed with a native publish-and-subscribe messaging system and distributed virtual shared data spaces. The operational structure of such an architecture could be based on virtual cells that model the physical cells in a typical military command center.

Inherent in this architecture is the ability to rapidly move functional roles and cells to other locations on the network. This would allow, for example, a cell to transfer its state to a node running as a peer cell on another network. The continual movement of cells (and critical applications) via state transfer around a network increases resiliency against attacks by making the cells more difficult for attackers to find. A related strategy involves a new version of an operational cell.

Another component of the cyberspace command and control architecture is the engineering cell. The engineering cell has many roles, but one of its most important is to manage honeypots and deception strategies. A honeypot is an area of a protected network or computer resource designed to be infiltrated; the attacker believes he has uncovered a vulnerability when, in fact, his actions are being recorded and traced without compromising any real security. In the case of the engineering cell, a honeypot might deploy, for example, an emulated air defense system using virtual machines. It would behave like a real air defense system, and could even autonomously respond to cyberattacks while simultaneously executing feint air defense actions, providing a further illusion of its legitimacy.

Conclusion

Effective mission resilience enables mission success. Program architects need to determine the critical aspects of space systems and apply innovation and rigor to ensure that they execute exactly as intended. Engineering decisions should be tied to the value of a mission and the asymmetric nature of the cyber domain. Although it is not feasible to try to counter all possible attacks, a billion-dollar investment should not be at risk from a five-dollar attack. Achieving mission resiliency in a contested cyber domain requires the appropriate balance of architectural, operational, and defensive considerations applied across all space system segments.

Developers can no longer assume that space systems are isolated, pristine, and uncompromised, but must work to apply architectural frameworks that address resiliency. They need to think about how systems interact and are extended when defining requirements and acceptance criteria. Faster acquisition models are needed, along with new architectures that are truly modular and extensible. Most important, developers need to understand that the traditional battle space can no longer be viewed as a collection of discrete realms. Space, ground, and user segments are all nodes on a network—interconnected and interdependent.

Where is the cyberspace domain? Cyberspace is embedded in military and intelligence systems—the air, land, maritime, and space domains. Operations occur in whole or in part in cyberspace. This includes the use of computers, sensors, busses, displays, controllers, local area networks, hardware, firmware, and software (including operating systems and databases, middleware, and applications). The communication/networking infrastructure connecting these are data links, the Global Information Grid, and the Internet.

Acknowledgments

The author would like to thank James Donndelinger, Robert Lindell, Steven Meyers, John Nilles, Peter Reiher, Gregory Richardson, John Sarkesain, Mario Tinto, Alan Unell, and Richard Yee for their contributions to this article.

During the last two decades, the U.S. government and private sectors have come to heightened awareness of the challenges to national security that are emerging from cyberspace. News reports regularly highlight the vulnerability of industrial systems to intrusion and the resultant loss of massive amounts of data and even the loss of control over industrial processes. These challenges raise questions about the resilience of the functions of the economy and government while under cyberattack, including those functions provided by the national security space community.

As cyberspace becomes an increasingly contested domain, many aspects of national security space are also in flux. National security space has witnessed several periods of transition involving the nature of threats to space systems, the purpose and structure of space missions, the technologies that affect space system construction, and the role of systems in the missions they serve. Today, there are significant transitions occurring in all of these dimensions.

Many of today’s national security space capabilities were first conceived during the Cold War with well-defined and well-studied adversaries, and many of these capabilities (such as missile warning) were developed as isolated, single-mission systems. Today’s environment is dramatically altered and the threats are very different.

The strategic concerns of the Cold War are a relatively small, although still important, component of a much more complex environment today. The emphasis in the space community is now on fusing a wide variety of data sources to achieve information superiority for warfighters and intelligence analysts. This has created unrelenting pressure to connect information systems and to communicate all over the globe, including to users in the field. This connectivity is both an enabler and an Achilles heel: creating pathways for information to get out to authorized users can also help adversaries find pathways to get in to that same information.

Connectivity of systems is not the only source of vulnerability. If it were, then the solution would be simple but painful—disconnect the systems. This has been the response of last resort taken by several defense contractors under cyberattack in the last few years, but it would be a crippling response if it were necessary in the midst of an international conflict.

Another source of vulnerability is the increasing reliance on a wide range of commercially supplied hardware and software components that are manufactured throughout the world and provide ample opportunity for the introduction of malicious hardware and software. Any one of today’s space system command and control centers contains a wide range of routers, firewalls, printers, desktops, telephones, video devices, disk farms, computing clusters, databases, Web servers, and other information processing capabilities, components of which may, and probably do, originate from indeterminate sources.

The inexorable trend of increased connectivity among national security space systems—with components of uncertain pedigree—amplifies the risks associated with system (and systems of systems) complexity. Increased complexity alone raises the risk of a cyberattack because more attention must be focused on managing the system just to achieve proper functioning, usually at the expense of attention on understanding the risks being created and new means of cyber intrusions. Whether or not increasingly complex systems (and even more complex systems of systems) can function properly under cyberattack becomes correspondingly more difficult to assess.

This complexity and the sheer magnitude of recent national security space systems have also changed the system acquisition process. Space systems are now acquired as separate segments with distinct acquisitions. These separate acquisitions make it harder to fully assess end-to-end behaviors when all of the segments are put into operation, and make it difficult to identify side effects or other unintended behavior under cyberattacks. The result is that developers often fail to obtain anything beyond a superficial understanding of the end-to-end system design, which reduces the effectiveness of understanding the true risks to the system.

New Technology Risks

Aerospace, along with its FFRDC partners, is focusing on space cyber domain issues that are unique to national security space throughout the acquisition lifecycle: concept exploration, military utility analysis, requirements definition, system architecting, system development oversight, deployment, and sustainment support.

The increasing pace of introducing new technologies into national security space missions creates another set of challenges in the cyberspace domain. For example, the need to make ground systems and mission processing systems more efficient—in effect, to do more with less—is fueling a desire to migrate terrestrial information technology capabilities to cloud services. Cloud computing allows computer users to tap into servers and storage systems scattered around the country and the world that are tied together by networks. Cloud services are designed to give users better, more reliable, more affordable, and more flexible access to much needed information technology infrastructures. On the other hand, the most significant barrier to adoption of clouds is trust: Will mission data confidentiality, integrity, and availability be better ensured by residing on the cloud? Will mission stakeholders be able to rely on the cloud? Will the cloud be as resilient and robust as the information would be in a more traditionally independent private operational environment? Aerospace is working with its customers to help them understand the vulnerabilities associated with cloud-based services.

Another area of concern is new mobile-user devices including smartphones, iPads, and other tablet computers, which are rapidly becoming integrated into the operational environment. As these new devices enable new concepts of operation, they introduce a dynamically changing need for service from national security space systems, as well as an increase in the need for adaptive, on-demand service provisions. Agile acquisition strategies and rapidly adaptable space asset architectures are becoming increasingly necessary to address the effects of these transformative and rapid technology changes. But these changes, as with migration to cloud environments, raise the specter of new vulnerabilities in national security space systems. Aerospace is conducting research on wireless security effects and countermeasures. In the future, new end-to-end assessment frameworks will be essential for understanding the dynamic system risks and for updating systems to address new threats.

Even the devices and software that are incorporated into national security space systems for the purpose of security represent an added level of complexity that makes managing systems a challenge. Firewalls and other devices that restrict information flow from one security regime to another, authentication and key management systems, access audit systems, and other mechanisms to control and observe possibly hostile access to mission critical information are themselves complex to develop, test, understand, configure, and control during operations. The result is that while some means of cyberattack may be attenuated by these mechanisms, others may be introduced, and the overall attack surface of the systems may become larger, and certainly becomes harder to understand. Furthermore, when systems with distinct mechanisms for implementing security policies are connected in new ways, inconsistencies may arise, introducing new gaps in the defense mechanisms that may be exploited by attackers.

Cyber Threats

Cyberattacks at all levels are difficult to detect, attribute, or stop. There is increasing evidence of attacks designed to collect intelligence and disrupt space operations. Low-end (cyber crime) and high-end (nation-state) attacks are underway. This chart illustrates the type of cyberattacks, targets identified, and effects of the attacks on computer and space systems. Courtesy of U.S. Air Force.

Concern about cyber vulnerabilities has been dramatically growing, commensurate with the number of publicly acknowledged successful penetrations into information systems. Many of these cyberattacks have focused on theft of personal information (such as social security numbers and credit card numbers) used for identity theft and financial gain. The trend rapidly evolved to include cyber intrusions to steal intellectual property from the government and from private industry. In the last 5 to 10 years, such intrusions have become multiyear cyber campaigns across a broad spectrum of government and industry. To defend against these attacks, an entire industry has arisen to provide security to enterprises and individuals who use and depend on the Internet. In a predictable response, cyberattacks have extended to this industry. For example, there have been significant attacks against cryptographic certificate and security providers in an attempt to gain authentication information that will enable future cyberattacks to pass through existing protection barriers.

This growing list of cases certainly represents an alarming trend, and the theft of information is a serious concern for the U.S. government. But this trend does not accurately foretell the kind of threat that will likely materialize during a conflict with a near-peer adversary. In fact, today’s cyber threats and attacks could be viewed as preparation of the (cyber) battlefield. As systems are penetrated to extract information, it is possible that implants are being put in place that could be called upon in times of conflict.

The most concerning threat during a cyber conflict will likely be attacks that disable systems through either overt action (such as denial of service) or covert action (subtle manipulation of data and systems). The latter is particularly worrisome because of the difficulty of identifying the threat, attributing attacks to adversaries, understanding the extent of compromise, and assessing the extent to which trust in the systems has been endangered. No commander wants to engage in a mission with equipment he or she cannot trust. Once systems are compromised during conflict, the impact may go beyond the specifics of the attack. Entire systems may become untrusted, and therefore unused. Deceptive false indicators and warnings can provoke this unfavorable condition, so that trust may be lost even though actual cyber compromise has not been achieved.

Protecting Space Systems

The current offensive/defensive posture in cyberspace is asymmetrical: the offense has a substantial advantage over the defense. Cybersecurity is only as good as its weakest link. Consequently, there is a need to defend everywhere, and executing the defense needs to happen perfectly. On the other hand, the offense need only succeed in identifying and exploiting the weakest link of a system to be successful. These types of attacks on space systems are not currently coming from everywhere, but they could come from anywhere.

Attacks can be directed at many layers of a system’s operational structure and can cross layers. These include a physical layer with wired and wireless communication media; a hardware layer of network interfaces, routers, antennas, encryption/decryption devices, firewalls, computers, printers and many others; a system software layer with firmware in many of the devices on a network and the operating systems, database management systems, Web servers, virtualized servers, etc.; an application software layer with a broad range of custom-developed and commercial-off-the-shelf software such as e-mail systems, document management systems, and collaboration tools; and a mission layer that comprises the unique software and hardware used to accomplish a particular mission (such as missile warning).

For defense in the cyber domain, each layer must be protected in its own way. Much attention has been focused on protecting the physical and network layers of national security space systems. However, an attacker who introduces malware at higher layers can bypass these layers. Similarly, the best efforts to protect applications can be bypassed by attacks at the physical layer. All of these layers can be bypassed through social engineering. This involves manipulating the people who operate the system through malicious tactics like spear phishing, which consists of targeting people with apparently authentic personal appeals that, when responded to, unleash malware on their system and enterprise.

While the offense has a clear edge over the defense, it is important not to overestimate the capabilities of attackers, which could result in paralysis and an incorrect conclusion that the situation is hopeless. The offense does have a great advantage in being able to generally penetrate systems, exfiltrate data, and perform denial of service attacks. However, achieving specific effects is not as straightforward. An analogy can be made to the contrast between going fishing and catching a specific fish (no pun intended). Designing an attack to target a very specific component of a system—to achieve a specific effect such as altering a command sequence on a satellite—is a very challenging engineering problem. Much of what is happening today consists of relatively broad attacks intended to achieve broad effects.

However, there have been successful attacks to achieve specific effects by advanced persistent threat actors, who have sufficient motivation and resources to develop and conduct precision cyberattacks. For example, several cybersecurity researchers who reverse-engineered components of the widely publicized Stuxnet worm have commented that Stuxnet could have only been developed by a highly skilled team with extensive financial and intelligence resources. Stuxnet attacked supervisory control and data acquisition (SCADA) capabilities governing cyber-physical systems that conduct processes in the real world, and it was reputedly able to damage those systems, disrupting their processes. It is an example of malware whose impact moves beyond cyberspace into the physical world, with potentially deadly consequences. National security space systems are also cyber-physical systems engaged in processes critical to the nation’s security, so it is natural and appropriate to be concerned about cyber threats like Stuxnet.

Stuxnet-like attacks are not simple to execute; the attackers are challenged in testing the attacks in a representative environment and understanding the effectiveness of a particular attack after it has been deployed. In this regime of cyber conflict, the defense has significant opportunities to improve its prospects for protection. For example, introducing variability in a particular system may make the design of an attack more challenging. Creating countermeasures that introduce uncertainty for attackers can also be an effective defense, and in some cases, even act as a deterrent.

Still, the challenge of defending national security space systems from Stuxnet-like and other cyberattacks is daunting, especially if the adversary is an advanced persistent threat actor. Recent history has made it clear that these threats cannot be entirely kept out of any system important enough to attack. It is prudent to assume that such adversaries may already be in U.S. space systems, or will eventually be, and therefore the biggest cyber challenge has become what to do once they are in.

Aerospace is building upon one of its core strengths, information assurance, by adding to existing corporate expertise in the area of computer science engineering and technology. The corporation is working to understand the vulnerabilities posed to space systems via cyberattack. Aerospace is leveraging its expertise across the national security space community and is working closely with other FFRDCs to better understand the challenges and opportunities presented in the world of cyber.

Mission Resilience

According to recent studies by the U.S. Air Force Scientific Advisory Board, the viability and predictability of successful attacks from advanced persistent threat actors mandate that attention be focused on the need for the United States and allied military forces to be able to “fight through and continue to operate” in the presence of attacks on the cyberspace infrastructure. The need for missions to be resilient in the presence of attacks and counterattacks has always been a preoccupation of military strategists and tacticians. However, the difference now is that attacks may be launched and conducted in part or in whole in cyberspace, and many traditional yardsticks by which to measure the resilience of missions (and of the systems they use) are no longer sufficient or even applicable.

Migration from a protection perspective to a resilience perspective requires several key activities. Resilience implies that the functionality of a system will continue despite the challenges that come with an attack. While continuity of missions is a key goal of resilience, continuity at full strength of all aspects of an entire mission is unrealistic—invariably the mission would be somewhat degraded. In this case, one solution might be that some lower-priority tasks have to be discarded—lower performance for certain missions may be acceptable and some “nice to have” sources of data may be discontinued.

Designing for resilience requires a thorough understanding of what the critical cyber components of a system are and how they impact a mission. These could be low-level items such as a database or switch, or a higher-level subsystem, such as command and data handling or a mission planning system. Identifying these elements requires an in-depth understanding of the mission, how it is performed (tactics, techniques, and procedures), the elements of information required to conduct the mission, the interdependencies among those elements, and the cyber components that are necessary to the flow of those elements. In the case of space cyber, analyzing criticality of components requires an intimate knowledge of the satellites, payloads, mission planning software, and the mission effect of the national security space system’s products.

Aerospace is supporting the Department of Defense in developing policies that extend to these program protection areas. As part of the Mission Assurance Improvement Workshop, Aerospace is working with the government and contractors to develop guidance for acquisition, development, and operations to improve space segment information assurance and mission resilience. Aerospace is also conducting research on the impact to space systems resiliency when trust in critical information is lost in varying degrees as a result of cyberattacks and other threats.

Implicit in mission resilience is that some particular functionality in a system may have to be sacrificed to enhance the continuity of the mission. Limiting the loss of functionality may not always be possible depending on the overall architecture (software and hardware) of a system. Identifying the most critical cyber components enables tactics for resilience to be employed in a cost-effective way, such as introducing redundancy of critical components but not ancillary ones, or architecting systems to allow for separation and isolation of mission functions.

Monolithic systems are quite challenging to secure from cyberattacks because even an attempt to sacrifice some functionalities to save others may not increase security by an appreciable amount. For example, intermixing mission-critical ground segment functions on the same local networks as nonmission-critical functions may not only compromise the security of one function, but also might prevent the implementation of any measures to reconstitute another impaired function. Similarly, the information architecture on spacecraft may depend on a single spacecraft bus to the extent that isolation of compromised payload functions may not be possible, jeopardizing the mission impact of the other payloads involved. The goal is to understand the role of cyber-critical components, allowing for a carefully articulated assurance profile that reflects different degrees for some elements, rather than one uniform bar that is so high as to be effectively ignored, or so low as to be useless.

In support of national security space customers, Aerospace developed a framework for assessing software architectures to ensure they are being built to meet current and future mission needs. The framework has been extended to include emerging needs for system and mission resilience, especially related to mission resilience in the contested cyberspace domain. This enhanced assessment framework is being applied to ongoing customer programs, and refinements are being introduced based on lessons learned.

Traditional domains are characterized by kinetic activity; the cyberspace domain is characterized by virtual activity. While threats against national security space assets and information may involve any and all domains, particular attention is focused on “space cyber,” found at the intersection of space and cyberspace.

One area that is notoriously difficult to secure is conventional Web-based architectures (designed using World Wide Web technologies). To address this challenge, Aerospace is exploring new Web architecture concepts, which are compatible extensions of conventional techniques, and are expected to enable trusted sharing among mutually suspicious networked parties.

One foundational component of mission continuity while under attack is cyber situational awareness. To effectively defend a system there needs to be knowledge that an attack is underway. The words “under attack” evoke thoughts of distributed denial of service attacks coming over a network, but a more accurate definition may be that the system is compromised, and that action by an adversary is having an effect on the system or its information. For example, a system under attack could be one in which data in a system has been altered, or one for which certain command sequences to a satellite have been modified to achieve a desired effect.

Recognizing when such sophisticated attacks are underway is perhaps the greatest challenge of cyber situational awareness. By comparison, recognizing that data is being exfiltrated from a system is a relatively simple task. For example, a rudimentary form of an attack recognition process involves checking the checksum of an executable program to determine if it has been modified. While this primitive check can be easily circumvented, the introduction of a number of simple consistency checks could significantly enhance situational awareness and make it more difficult for compromises to go undetected. However, sometimes understanding the cyber situation proves more challenging. Situational awareness may require the use of multiple sources (trusted to different extents) to identify discrepancies in systems; likewise, warnings and indicators signaling an attack may be underway might require more sophisticated follow-up analyses to confirm the existence and nature of the attack.
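The two checks sketched above, an integrity check on executables and a cross-check of one command sequence across sources trusted to different degrees, as an added illustration that is not part of the original article. A keyed tag (HMAC) stands in for the plain checksum so that the stored baseline is not itself trivially rewritten; file names, command mnemonics, source names and the key are all constructed for the demonstration.

```python
# Added example, not from the original article. All data is constructed:
# file contents, command sequences, source names and the key are illustrative.
import hashlib
import hmac

# Constructed "golden" snapshot of two executables on a ground-segment host.
GOLDEN_FILES = {"bin/planner": b"\x7fELF planner v1.0",
                "bin/uplink": b"\x7fELF uplink v2.3"}
# Key assumed to be held by the monitoring service, off the monitored host,
# so an intruder who can rewrite a file cannot also forge its stored tag.
MONITOR_KEY = b"constructed-demo-key-not-for-real-use"

def plain_checksum(data: bytes) -> str:
    """The rudimentary check from the text: an unkeyed hash. Whoever can alter
    the file can usually alter a stored plain checksum to match."""
    return hashlib.sha256(data).hexdigest()

def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: recomputing it needs the key, so a modified file cannot
    be paired with a forged baseline entry by someone without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_baseline(files: dict, key: bytes) -> dict:
    return {name: keyed_tag(content, key) for name, content in files.items()}

def check_files(current: dict, baseline: dict, key: bytes) -> list:
    """One finding per baselined file that is missing or no longer matches."""
    findings = []
    for name, expected in baseline.items():
        content = current.get(name)
        if content is None:
            findings.append(f"{name}: missing")
        elif not hmac.compare_digest(keyed_tag(content, key), expected):
            findings.append(f"{name}: modified")
    return findings

def cross_check_commands(copies: dict, trust: dict) -> tuple:
    """Compare copies of a command sequence held by sources trusted to different
    degrees (higher = more trusted). Returns the most trusted copy as the
    reference and the list of sources whose copy disagrees with it."""
    ranked = sorted(copies, key=lambda s: trust[s], reverse=True)
    reference = copies[ranked[0]]
    disagreeing = [s for s in ranked[1:] if copies[s] != reference]
    return reference, disagreeing

def demo() -> dict:
    baseline = build_baseline(GOLDEN_FILES, MONITOR_KEY)
    # Constructed compromise: the uplink binary has been altered in place.
    observed = {**GOLDEN_FILES, "bin/uplink": b"\x7fELF uplink v2.3 +patch"}
    copies = {"archive": ["PWR_ON", "SLEW 12.5", "IMG_START"],       # offline
              "ops_db": ["PWR_ON", "SLEW 12.5", "IMG_START"],        # live DB
              "uplink_queue": ["PWR_ON", "SLEW 48.0", "IMG_START"]}  # altered
    trust = {"archive": 3, "ops_db": 2, "uplink_queue": 1}
    reference, disagreeing = cross_check_commands(copies, trust)
    return {"file_findings": check_files(observed, baseline, MONITOR_KEY),
            "disagreeing_sources": disagreeing, "reference": reference}

if __name__ == "__main__":
    print(demo())
```

A disagreement between sources is an indicator that warrants follow-up analysis, as the text notes, not by itself proof of which copy was tampered with.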

Aerospace is working with DOD, the intelligence community, and the civil space sector on information assurance and cybersecurity services. This chart details some of Aerospace’s customers and the work being done for them in the cyber realm.

Aerospace has a broad spectrum of research projects underway that are focused on developing techniques and technologies for cyber situational awareness. One project looks at individual satellites and addresses onboard techniques for autonomous threat detection, assessment and recovery, and the design of feasible trusted computing and communication mechanisms on board. A second project focuses on the design of a distributed system-of-systems architecture that enables timely sharing of multiple-source threat/attack data to concurrently generate and update local and global situational awareness pictures and conducts collaborative assessment with tailored information sharing on demand. A third project addresses enterprise-level network anomaly detection, and a fourth explores the use of satellite-based communication to introduce timely trust assessment of routers in a TCP/IP networking architecture.

Resilience in systems also requires the identification and development of countermeasures that can be automatically triggered or put in the hands of system operators. Countermeasures are well understood in the air and maritime domains, but they are not as well understood in the cyber domain. In physical domains, countermeasures are developed to address specific attacks or specific classes of attacks (e.g., heat-seeking surface-to-air missiles). In the cyber domain, countermeasures are rarely focused on specific threats because they are evolving so rapidly. Countermeasures need to be more generic and address broader classes of attacks.

Defensive countermeasures in the cyber domain might involve a simple virus check, or they could be as complex as presenting to the public interface a honeypot or honeynet—a deceptive substitute for the actual system under attack—or modifying the network topology (disconnecting some systems or subnetworks, and reconnecting them only when adequate boundary defenses can be employed). Another possibility involves reconstituting a system on alternate hardware or software, or reconstituting databases from known trusted sources. How to reconstitute systems by automatic or semiautomatic migration of computational and informational objects is an ongoing area of research at Aerospace.

Cyber countermeasures, much like those in the air, terrestrial, and maritime domains, are generally intended to get a system into a configuration that may be degraded in functionality but is more resistant to continued attack. Developing and employing such countermeasures requires a clear understanding of classes of attacks (at different levels), strong knowledge of the critical components of a system that are needed to continue to operate, effective predictive modeling of the potential consequences of employing countermeasures, and decision aid tools for the employment of countermeasures that require human intervention. The choice of which countermeasures to employ may depend on the degree of confidence operators have that the actual cyber situation is well understood, and that the countermeasure will achieve the desired effect.

This illustrates that an essential component of national security space mission resilience is the vigilant, well-trained operator. While defense of cyber systems will require some autonomous response, human engagement will nearly always be required. Aerospace anticipates that the current organizational distinctions between cyber operations specialists and space system and mission operators will be refined over time to yield more effective and timely responses to adversarial cyber intrusions and attacks. Future national security space systems operators will need significantly greater training in cyber situational awareness, in the understanding and use of countermeasures, and in the ability to use systems with degraded functionality. The Aerospace Institute, the education and training arm of The Aerospace Corporation, is developing a cybersecurity curriculum designed to address some of the needs found at the intersection of space and cyberspace.

Further Reading

D. Alperovitch, “Revealed: Operation Shady RAT. An Investigation of Targeted Intrusions Into More Than 70 Global Companies, Governments, and Nonprofit Organizations During the Last Five Years,” McAfee, http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf (as of Nov. 8, 2011).